b'Office of Audits and Evaluations\nReport No. AUD-13-007\n\n\nThe FDIC\xe2\x80\x99s Controls over Business Unit-\nLed Application Development Activities\n\n\n\n\n                                   September 2013\n\x0c                                     Executive Summary\n\n                                     The FDIC\xe2\x80\x99s Controls over Business Unit-Led\n                                     Application Development Activities\n                                                                                    Report No. AUD-13-007\n                                                                                           September 2013\n\nWhy We Did The Audit\n\nBusiness unit-led application development generally refers to the creation or enhancement of information\ntechnology (IT) solutions where the development is performed under the direction of an FDIC business\ndivision or office (referred to herein as a business unit), rather than the FDIC\xe2\x80\x99s Division of Information\nTechnology (DIT). In our most recent information security program evaluation report required by the\nFederal Information Security Management Act of 2002, we noted that such development activity presents\nrisk because it generally occurs outside of formal risk management and IT governance processes.\nAccordingly, we decided to review this area in more detail.\n\nThe objectives of the audit were to identify key risks associated with the FDIC\xe2\x80\x99s business unit-led\napplication development activities and to determine the extent to which controls have been established to\nmitigate those risks.\n\nBackground\n\nWithin the FDIC, DIT has primary responsibility for managing the FDIC\xe2\x80\x99s IT program and operations,\nincluding the development and enhancement (collectively referred to herein as development) of\napplications. The Director, DIT, reports to the FDIC\xe2\x80\x99s Chief Information Officer (CIO), who has\ncorporate-wide strategic responsibility for IT governance, investments, program management, and\ninformation security. DIT follows formal risk management and IT governance processes when\ndeveloping applications. Such processes include the Rational Unified Process systems development life\ncycle (SDLC) methodology and corporate policies and procedures that address such things as the\nenterprise architecture, data management, information security, privacy, configuration management, and\nquality assurance. In addition, the FDIC has established various governance bodies, such as the Capital\nInvestment Review Committee and the CIO Council, to provide oversight and control of application\ndevelopment initiatives that meet certain criteria.\n\nThe FDIC\xe2\x80\x99s business units also engage in application development activity and, in some cases, have\nestablished specialized IT support service units to perform the development work. Business unit-led\napplication development ranges from the building of simple applications with only a few users to\ncomplex applications with hundreds of users. Consequently, the cost of the applications can vary from a\nfew thousand dollars to over $1 million. Such development can also involve creating new data or\ncollecting sensitive information, such as personally identifiable information, that is used to support\nimportant business functions, such as large bank supervision, the marketing of failing banks, and human\nresources management.\n\nBusiness units fund their application development activities through their operational budgets. However,\nthere is no FDIC policy requirement for business units to track or report the costs of their development\nactivities to FDIC management officials, and business units did not do so. As a result, we were unable to\ndetermine the total amount spent on business unit-led application development at the FDIC. The majority\nof the FDIC\xe2\x80\x99s business unit-led application development occurs within the Division of Resolutions and\nReceiverships and the Division of Risk Management Supervision.\n\n\n\n\n                                                     i\n                              To view the full report, go to www.fdicig.gov\n\x0c  Executive Summary                 The FDIC\xe2\x80\x99s Controls over Business Unit-Led\n                                    Application Development Activities\n                                                                                    Report No. AUD-13-007\n                                                                                           September 2013\n\nIn January 2013, DIT began hosting a series of meetings with division and office representatives to\ndiscuss issues associated with business unit-led application development and to develop a corporate\npolicy and supporting guidance in this area. The corporate policy and guidance is intended to provide,\namong other things, criteria for identifying application development efforts that are appropriate for\nbusiness unit-led development, the IT governance processes that should apply, and the project activities\ninvolved.\n\nAudit Results\nBusiness unit-led application development provides the FDIC\xe2\x80\x99s divisions and offices with the flexibility\nto rapidly develop and deploy IT solutions to support information analysis and management decision-\nmaking. However, this type of development also presents risk because it has generally occurred outside\nof the FDIC\xe2\x80\x99s established risk management framework and IT governance processes that are designed to\nensure internal controls are addressed. Key risks associated with the FDIC\xe2\x80\x99s business unit-led application\ndevelopment activities that we identified during the audit include not:\n\n    \xef\x82\xb7   recording the applications in the FDIC\xe2\x80\x99s information systems inventory, thereby limiting the\n        FDIC\xe2\x80\x99s assurance that the applications are subject to appropriate risk management procedures and\n        oversight;\n\n    \xef\x82\xb7   subjecting development projects to appropriate IT governance processes, thus reducing the\n        FDIC\xe2\x80\x99s assurance that IT investment decisions are consistent with corporate and division goals\n        and priorities; and\n\n    \xef\x82\xb7   establishing appropriate SDLC standards, therefore limiting the FDIC\xe2\x80\x99s assurance that\n        applications are properly designed and tested, systems documentation is adequate, and\n        information security and privacy requirements are addressed.\n\nWe identified certain controls that were established by the FDIC\xe2\x80\x99s business units that mitigated, to some\nextent, the risks described above. Such controls included SDLC guidelines and procedures to guide\ncertain application development activities and committees to provide oversight of IT activities. However,\ncontrol improvements are needed in all three areas.\n\nRecommendations and Corporation Comments\nThe FDIC\xe2\x80\x99s planned corporate policy and related guidance on business unit-led application development\ncan promote a better understanding of this type of development activity and the associated risk\nmanagement procedures and IT governance processes that should apply. Our report contains three\nrecommendations addressed to the FDIC\xe2\x80\x99s Acting CIO that are intended to assist the FDIC with those\nongoing efforts. In general, the recommendations are aimed at establishing appropriate policies,\nprocedures, and guidance to ensure that applications are recorded in the Corporation\xe2\x80\x99s information\nsystems inventory, when appropriate; that business units have appropriate IT governance processes and\nSDLC standards; and that existing applications comply with FDIC security policies. The Acting CIO\nprovided a written response, dated September 6, 2013, to a draft of the report. In the response, the Acting\nCIO concurred with all three of the report\xe2\x80\x99s recommendations and described ongoing and planned actions\nto address the recommendations.\n\n                                                     ii\n                              To view the full report, go to www.fdicig.gov\n\x0c                                Contents\n\n                                                                     Page\nBackground                                                             2\n    Divisions Engaged in Business Unit-Led Application Development     3\n    Ongoing Efforts to Address Risks Associated with Business\n         Unit-Led Application Development                              3\n\nAudit Results                                                          5\n\n  Risks and Controls Related to Business Unit-Led Application\n  Development                                                          6\n     Information Systems Inventory                                     6\n     IT Governance                                                     7\n     Systems Development Life Cycle Standards                         10\n     Recommendations                                                  14\n\n\nCorporation Comments and OIG Evaluation                               15\n\nAppendices\n  1. Objectives, Scope, and Methodology                               16\n  2. Glossary of Terms                                                21\n  3. Acronyms and Abbreviations                                       25\n  4. Corporation Comments                                             26\n  5. Summary of the Corporation\xe2\x80\x99s Corrective Actions                  29\n\nTable: Sampled Applications                                           19\n\x0cFederal Deposit Insurance Corporation                                            Office of Audits and Evaluations\n3501 Fairfax Drive, Arlington, Virginia 22226                                         Office of Inspector General\n\n\nDATE:                                       September 11, 2013\n\nMEMORANDUM TO:                              Martin D. Henning\n                                            Acting Chief Information Officer\n\n\n                                            /Signed/\nFROM:                                       Stephen M. Beard\n                                            Deputy Inspector General for Audits and Evaluations\n\nSUBJECT:                                    The FDIC\xe2\x80\x99s Controls over Business Unit-Led Application\n                                            Development Activities (Report No. AUD-13-007)\n\n\nThis report presents the results of our performance audit of the FDIC\xe2\x80\x99s controls over\nbusiness unit-led application development1 activities. Although the FDIC has not yet\nadopted a formal definition of business unit-led application development, the term\ngenerally refers to the creation or enhancement of information technology (IT) solutions\nwhere the development is performed under the direction of an FDIC business division or\noffice (referred to herein as a business unit), rather than the Division of Information\nTechnology (DIT).\n\nThe objectives of the audit were to identify key risks associated with the FDIC\xe2\x80\x99s business\nunit-led application development activities and to determine the extent to which controls\nhave been established to mitigate those risks. Our work included interviewing officials in\nDIT and selected FDIC business units and reviewing available documentation for a non-\nstatistical sample of four applications.2 Two of these applications were developed by the\nDivision of Resolutions and Receiverships (DRR), and two were developed by the\nDivision of Risk Management Supervision (RMS). We reviewed these four applications\nto obtain an understanding of the associated development practices. We did not assess\nwhether the applications were properly designed or controls were properly implemented.\nWe reviewed one additional application developed by DIT for reference purposes. The\nresults of this audit will assist our office in fulfilling its information security program\nevaluation and reporting responsibilities under the Federal Information Security\nManagement Act of 2002 (FISMA).\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Appendix 1 of this report includes additional details on our\nobjectives, scope, and methodology; Appendix 2 contains a glossary of key terms;\n\n1\n Terms that are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.\n2\n A non-statistical sample cannot be projected to the population. See Appendix 1 for a complete\ndescription of our sample selection and sampling methodology, including a Table listing the applications\nwe reviewed.\n\x0cAppendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the\nCorporation\xe2\x80\x99s comments on this report; and Appendix 5 contains a summary of the\nCorporation\xe2\x80\x99s corrective actions.\n\n\nBackground\nWithin the FDIC, DIT has primary responsibility for managing the FDIC\xe2\x80\x99s IT program\nand operations, including the development and enhancement (collectively referred to\nherein as development) of applications. The Director, DIT, reports to the FDIC\xe2\x80\x99s Chief\nInformation Officer (CIO), who has corporate-wide strategic responsibility for IT\ngovernance, investments, program management, and information security.3 DIT follows\nformal risk management and IT governance processes when developing applications.\nSuch processes include the Rational Unified Process\xc2\xae (RUP)\xc2\xae systems development life\ncycle (SDLC) methodology and corporate policies and procedures that address such\nthings as the enterprise architecture (EA), data management, information security,\nprivacy, configuration management, and quality assurance. In addition, the FDIC has\nestablished various governance bodies, such as the Capital Investment Review\nCommittee (CIRC) and the CIO Council, to provide oversight and control of application\ndevelopment initiatives that meet certain criteria.4 As of June 30, 2013, the CIRC was\noverseeing an application development budget of $18.45 million for 2013, and the CIO\nCouncil was overseeing an application development budget of $20.99 million for 2013.\n\nThe FDIC\xe2\x80\x99s business units also engage in application development activity and, in some\ncases, have established specialized IT support service units to perform the development\nwork.5 According to the FDIC Business Technology Strategic Plan: 2013-2017, this type\nof development activity provides the FDIC with the agility to address immediate business\nneeds with minimal resource demands on DIT. Business unit-led application\ndevelopment ranges from the building of simple applications with only a few users to\ncomplex applications with hundreds of users. Consequently, the cost of the applications\ncan vary from a few thousand dollars to over $1 million. Such development can also\ninvolve creating new data or collecting sensitive information, such as personally\nidentifiable information (PII), that is used to support important business functions, such\nas large bank supervision, the marketing of failing banks, and human resources\nmanagement.\n\n\n3\n  Prior to July 23, 2013, the positions of DIT Director and CIO were held by the same individual. On that\ndate, the FDIC implemented an organizational change separating these roles to enhance the IT area and\naddress a wide range of increasing IT security risks in the current global environment.\n4\n  The CIRC is responsible for approving and overseeing all capital investment projects, including IT\nprojects, with total investment budgets of $3 million or more or that are deemed to have a significant\ncorporate impact, regardless of cost. The CIO Council is responsible for approving and monitoring various\ntypes of IT projects, including application development projects.\n5\n  FDIC business units, rather than DIT, performed ongoing maintenance for the business unit-developed\napplications that we selected for review. Maintenance includes, among other things, changes to production\nsoftware to correct known problems and to prevent anticipated problems or inefficiencies.\n\n\n                                                    2\n\x0cBusiness units fund their application development activities through their operational\nbudgets. FDIC policy directives do not require business units to track or report the costs\nof their development activities to FDIC management officials, and no such costs were\nbeing tracked and reported. As a result, we were unable to determine the total amount\nspent on business unit-led application development at the FDIC.\n\nDivisions Engaged in Business Unit-Led Application Development\n\nBased on our discussions with DIT and business unit personnel, we determined that the\nmajority of business unit-led application development occurs within DRR and RMS.\nWithin DRR, the Business Information Services (BIS) section in Dallas, Texas, and the\nBusiness Program Management (BPM) section in Arlington, Virginia, perform the\ndevelopment. Within RMS, the Business Analysis and Decision Support (BADS) section\nin Washington, D.C., and personnel in the Regional Office Management Information\nGroups (ROMIGs) perform the development. A notable difference between DRR and\nRMS in their approach to application development is that DRR generally engages\ncontractors to perform the work, while RMS uses in-house personnel. In addition, DRR\nwas working to centralize its IT operations (including application development) by\nconsolidating BIS and BPM, while RMS\xe2\x80\x99 development activities remain decentralized.\nAt our request, DRR and RMS compiled listings of the applications they had developed\n(or were working to develop). DRR\xe2\x80\x99s listing contained 23 applications and RMS\xe2\x80\x99 listing\ncontained 53 applications. Most of these applications were developed using Oracle\xc2\xae\nApplication Express (APEX) or Microsoft\xc2\xae Access.6\n\nTo help mitigate the risks associated with business unit-led application development,\nDRR and RMS each entered into formal agreements with DIT that defined certain roles\nand responsibilities and other expectations regarding the use of one particular software\ndevelopment tool\xe2\x80\x94APEX. Specifically, RMS and DIT executed the FDIC Governance\nPlan for Implementation, Use and Support of Application Express (APEX) for DSC, dated\nDecember 2009 (RMS APEX Governance Plan),7 and DRR and DIT executed a\nMemorandum of Understanding for Use of Application Express (APEX) by the Division\nof Resolutions and Receiverships (DRR), dated December 2010 (DRR APEX MOU). In\ngeneral, these agreements contemplate the use of APEX for the rapid development and\ndeployment of simple applications, reports, and forms. No similar agreements were\nexecuted with other divisions or offices or for other software development tools.\n\nOngoing Efforts to Address Risks Associated with Business Unit-Led Application\nDevelopment\n\nDIT\xe2\x80\x99s 2012 Assurance Statement identifies business unit-led development and/or\nprocurements of IT systems, solutions, and/or processes outside of established IT\n6\n  FDIC business units may use other FDIC-approved IT development tools, such as the Statistical Analysis\nSystem (SAS) software, to develop applications. For security reasons, our report does not include the\nnames of the applications developed by RMS and DRR.\n7\n  Subsequent to the execution of this document, the FDIC\xe2\x80\x99s Division of Supervision and Consumer\nProtection (DSC) was reorganized into RMS and the Division of Depositor and Consumer Protection.\n\n\n                                                   3\n\x0cgovernance and control processes as a non-material challenge for 2013. The assurance\nstatement explains that modern organizations, including the FDIC, are challenged with\nbalancing end-user flexibility in the development of business products with the robust IT\nsecurity and compliance controls necessary to safeguard the often sensitive data that\nthose products utilize. According to the assurance statement, business unit-led\napplication development can create an environment that supports critical business\nprocesses, but these IT activities often do not satisfy FDIC\xe2\x80\x99s requirements for control,\ndocumentation, security, and reliability. The assurance statement adds that the ability of\nbusiness units to create their own applications outside of formal FDIC IT processes\ncreates significant security concerns and additional demands on DIT and business unit\nresources.\n\nIn our most recent information security program evaluation report required by FISMA,\nwe noted that development activity in FDIC\xe2\x80\x99s business units presents risk because the\ndevelopment occurs outside of formal risk management and IT governance processes.8\nWe recommended that the CIO coordinate with the FDIC\xe2\x80\x99s business divisions and offices\nto develop criteria that define when business unit-led application development efforts\nshould be incorporated into the FDIC\xe2\x80\x99s risk management framework and IT governance\nprocesses. The CIO concurred with the recommendation and agreed to submit a\ncorporate policy and supporting guidance to the FDIC\xe2\x80\x99s Division of Administration,\nwhich has responsibility for issuing corporate policy directives, by July 1, 2013.9\n\nIn January 2013, DIT began hosting a series of meetings with division and office\nrepresentatives to discuss issues associated with business unit-led application\ndevelopment and to develop a corporate policy and supporting guidance in this area.\nDuring the interdivisional meetings, it was recognized that:\n\n    \xef\x82\xb7   a better understanding of what constitutes an application for purposes of applying\n        risk management procedures and IT governance processes is needed.\n\n    \xef\x82\xb7   the FDIC has a duty to ensure that all business unit-led application development\n        efforts adhere to certain established practices and standards to ensure the solutions\n        meet agency business needs, are consistent with relevant risk management\n        policies, and comply with applicable federal laws and FDIC policies and\n        guidelines (including those related to information security).\n\n    \xef\x82\xb7   the level of risk management and IT governance applied to application\n        development should be commensurate with the risks and complexities of the\n        development efforts. In many cases, such as when business units develop simple\n        spreadsheets, databases, and reports, minimal risk management requirements\n        should apply.\n\n\n8\n  Independent Evaluation of the FDIC\xe2\x80\x99s Information Security Program\xe2\x80\x942012 (Report No. AUD-13-003,\ndated November 5, 2012).\n9\n  DIT management subsequently extended this date to October 1, 2013.\n\n\n                                                4\n\x0cThe corporate policy and related guidance under development is intended to provide,\namong other things, criteria for identifying application development efforts that are\nappropriate for business unit-led development, the IT governance processes that should\napply, and the project activities (including security activities) involved.\n\n\nAudit Results\nBusiness unit-led application development provides the FDIC\xe2\x80\x99s divisions and offices with\nthe flexibility to rapidly develop and deploy IT solutions to support information analysis\nand management decision-making. However, this type of development also presents risk\nbecause it has generally occurred outside of the FDIC\xe2\x80\x99s established risk management\nframework and IT governance processes that are designed to ensure internal controls are\naddressed. Key risks associated with the FDIC\xe2\x80\x99s business unit-led application\ndevelopment activities that we identified during the audit include not:\n\n   \xef\x82\xb7   recording the applications in the FDIC\xe2\x80\x99s information systems inventory, thereby\n       limiting the FDIC\xe2\x80\x99s assurance that the applications are subject to appropriate risk\n       management procedures and oversight;\n\n   \xef\x82\xb7   subjecting development projects to appropriate IT governance processes, thus\n       reducing the FDIC\xe2\x80\x99s assurance that IT investment decisions are consistent with\n       corporate and division goals and priorities; and\n\n   \xef\x82\xb7   establishing appropriate SDLC standards, therefore limiting the FDIC\xe2\x80\x99s assurance\n       that applications are properly designed and tested, systems documentation is\n       adequate, and information security and privacy requirements are addressed.\n\nWe identified certain controls that were established by the FDIC\xe2\x80\x99s business units that\nmitigated, to some extent, the risks described above. Such controls included SDLC\nguidelines and procedures to guide certain application development activities and\ncommittees to provide oversight of IT activities. However, control improvements are\nneeded in all three areas.\n\nAs discussed earlier, the FDIC was working to develop a corporate policy and related\nguidance that is intended to promote a better understanding of what constitutes business\nunit-led application development and the associated risk management procedures and IT\ngovernance processes that should apply. Such policy and guidance is intended to be\ncommensurate with the risks and complexities of the development efforts. Our report\nincludes three recommendations intended to further the FDIC\xe2\x80\x99s ongoing efforts to\nestablish appropriate policies, procedures, and guidance over these activities.\n\n\n\n\n                                            5\n\x0cRisks and Controls Related to Business Unit-Led Application\nDevelopment\nWe identified key risks associated with the FDIC\xe2\x80\x99s business unit-led application\ndevelopment activities by reviewing relevant internal FDIC documents, such as DIT\xe2\x80\x99s\n2012 Assurance Statement and the FDIC Business Technology Strategic Plan: 2013-\n2017; interviewing DIT and business unit personnel; gaining an understanding of the\nFDIC\xe2\x80\x99s approach to this type of development; and researching industry guidance. We\ndetermined the extent to which controls were established to mitigate those key risks by\nreviewing FDIC policies, procedures, and guidance, the roles and responsibilities of IT\ngovernance bodies, and other relevant control activities; interviewing DIT and business\nunit personnel; and reviewing the FDIC\xe2\x80\x99s development practices for a sample of\napplications. A description of these key risks and controls, as well as actions that the\nFDIC can take to further mitigate the risks, follows.\n\nInformation Systems Inventory\n\nFISMA requires federal agencies, including the FDIC, to provide risk-based information\nsecurity protections for all of their information systems (including applications).\nEstablishing and maintaining a current, accurate, and complete inventory of information\nsystems can support agency efforts to address this risk management requirement and to\ndetermine where the agency\xe2\x80\x99s information security program should direct its resources.\nIn addition, the inventory can facilitate application portfolio analysis and reporting in\nsupport of IT governance processes and the EA. The FDIC currently uses the EA\nRepository (EA-Rep) as an inventory tool to record important information about the\nFDIC\xe2\x80\x99s applications, such as key business, technical, and contractor contacts, number of\nusers, security category, privacy impact, mission criticality, and supporting hardware and\nsoftware resources.\n\nA key risk associated with business unit-led application development is that applications\nmay not be recorded in the FDIC\xe2\x80\x99s information systems inventory, thereby limiting the\nFDIC\xe2\x80\x99s assurance that such applications are subject to appropriate risk management\nprocedures and oversight.10 The inventory helps the FDIC ensure that business unit-led\napplications containing sensitive or privacy information are properly identified as such\nand aggregated under a general support system (GSS) or major application for purposes\n\n\n\n\n10\n   According to FISMA, information security protections should be commensurate with the risk and\nmagnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or\ndestruction of information and information systems. FISMA also requires agencies to maintain an\ninventory of major information systems (44 U.S.C. \xc2\xa7 3505(c)). The FDIC uses application information in\nthe EA-Rep to satisfy that requirement.\n\n\n                                                     6\n\x0cof applying security oversight.11 Such oversight includes testing and evaluation of\nsecurity controls, authorizations to operate, and acceptance of residual risk.\n\nOn December 15, 2010, DIT issued Policy Number 10-004, Policy on Maintaining the\nEnterprise Architecture Repository (EA-REP). The policy establishes responsibilities for\nensuring that information in the EA-Rep is accurate, complete, and up-to-date. However,\nthe policy is targeted to DIT employees and the systems and applications that are\ndeveloped or supported by DIT, and does not specifically reference applications\ndeveloped by the FDIC\xe2\x80\x99s business units. The RMS APEX Governance Plan requires that\nall APEX applications developed by RMS be recorded in the EA-Rep. The DRR APEX\nMOU does not contain this specific requirement but does require DRR to ensure\ncompliance with DIT policies and standards.\n\nWe reviewed the EA-Rep and found that it did not contain APEX applications developed\nby DRR\xe2\x80\x99s BIS or RMS. In addition, the EA-Rep did not contain one of the two RMS\napplications in our sample that was developed with Microsoft\xc2\xae Access.12 Although the\nEA-Rep contained APEX applications developed by DRR\xe2\x80\x99s BPM, we noted that those\napplications, as well as APEX applications developed by DIT, were not consistently\nidentified as APEX applications in the EA-Rep. These inconsistencies limited the\nFDIC\xe2\x80\x99s assurance that the population of APEX applications recorded in the EA-Rep was\ncomplete. Further, neither DRR nor RMS maintained a single authoritative inventory of\nthe applications they developed.13\n\nThe FDIC can mitigate the risks described above by including language in its planned\npolicy on business unit-led application development that requires business units to ensure\ntheir applications are recorded in the FDIC\xe2\x80\x99s information systems inventory, when\nappropriate.\n\nIT Governance\n\nEffective IT governance processes help ensure that management\xe2\x80\x99s expectations are met\nand that relevant risks are mitigated. The FDIC\xe2\x80\x99s formal IT governance structure consists\nof governance bodies, including the CIRC and CIO Council; corporate policies,\nprocedures, and guidance; and the FDIC Business Technology Strategic Plan: 2013\xe2\x80\x93\n2017. At the business unit level, RMS established the RMS IT Portfolio Review\nCommittee (PRC) in April 2004 to advise RMS\xe2\x80\x99 executive management on the selection\n\n11\n   FDIC security plans for minor applications identify the GSS or major application that provides the\nmajority of security controls for the minor application. Security testing of minor applications is then\ncovered by (or \xe2\x80\x9caggregated under\xe2\x80\x9d) the security testing of the associated GSS or major application. This\nprocess of aggregating minor applications under a GSS or major application represents a cost-effective\nalternative to conducting separate security procedures for individual applications. However, the process\nrequires that DIT be aware of the minor applications, and the inventory facilitates this awareness.\n12\n   We also identified two Microsoft\xc2\xae Access applications supported by DRR\xe2\x80\x99s BPM that were not in the\nEA-Rep.\n13\n   DRR maintained an inventory of APEX applications developed by DRR BIS on a SharePoint site. Other\nlists of DRR applications were also stored on DRR\xe2\x80\x99s Intranet site.\n\n\n                                                   7\n\x0cand monitoring of important new IT development projects. In addition, DRR established\nthe DRR Systems Governance Board (SGB) in October 2011 to oversee its IT activities,\nincluding the approval of rapid application development projects and the resources\nneeded to support those projects.\n\nA key risk associated with business unit-led application development is that it may not be\nsubject to appropriate IT governance processes, thus reducing the FDIC\xe2\x80\x99s assurance that\nIT investment decisions are consistent with corporate and division goals and priorities.\nFor example, business units may design applications that duplicate existing functionality\nor data, resulting in unnecessary costs and inefficiencies. Inadequate IT governance\nprocesses may also result in unexpected delays to IT projects that have been approved\nthrough formal processes if DIT needs to divert resources to address unanticipated issues\nwith applications developed by business units.\n\nAn important component of IT governance is the formal review and approval of\ndevelopment proposals to ensure they satisfy corporate and division goals and priorities.\nNeither of the development proposals for the two DRR applications that we selected for\nreview had been reviewed or approved by the SGB because it was established after the\napplications were initially developed. However, DRR officials informed us that the SGB\nnow reviews business unit-led development proposals. We were provided with a\ntemplate used to prepare such development proposals and an example of SGB meeting\nminutes showing that the SGB had discussed the justification and level of effort for a\nmore recent application development effort. A DRR official informed us that the division\nwas working to document its end-to-end IT governance processes.\n\nWith respect to the two RMS applications that we reviewed, an RMS official informed us\nthat the PRC did not review one of the applications because it was developed with APEX\nand the PRC does not review APEX development proposals.14 RMS officials thought\nthat the remaining application may have been reviewed by the PRC but were not able to\nlocate any documentation pertaining to a PRC review of the application. In addition,\nbecause the PRC did not maintain meeting minutes, we were unable to determine the\nextent to which RMS application development efforts were reviewed and discussed by\nthe PRC. An RMS official informed us that RMS plans to expand the responsibilities of\nthe PRC to include additional oversight of business unit-led application development\nprojects.\n\nThe agreements between DRR, RMS, and DIT on APEX were intended to help guide and\ncontrol APEX development activities. The agreements noted the need for collaboration\nand communication between DIT and the divisions to ensure effective development.\nHowever, DIT, DRR, and RMS officials informed us that communication between the\nbusiness units and DIT regarding the use of the APEX tool was not always effective. As\na result, DIT was not aware of the extent to which APEX development activities were\ntaking place in the business units.\n\n\n14\n     Of the 53 applications that RMS developed (or were working to develop), 11 were APEX applications.\n\n\n                                                     8\n\x0cAnother important component of IT governance is the formal management decision to\nauthorize the deployment of an application into the production environment based on an\nindependent verification that all required application development activities have taken\nplace. DRR had various written guidelines15 and work products pertaining to the review\nand authorization of its application deployment activities. However, RMS had not\ndeveloped written guidelines or work products that addressed those activities. An RMS\nofficial informed us that applications and reports that are expected to become permanent\nor reach a significant user base are tested by developers and pilot users, and receive RMS\nmanagement approval before they are placed into production.\n\nCost management, including comparing projected costs and benefits to actual results, is\nalso a fundamental tenet of IT governance. As previously discussed, there is no FDIC\npolicy requirement for business units to track and report the costs of their application\ndevelopment activities to FDIC management officials. However, at our request, DRR\nofficials estimated that about $8.3 million in contractor resources were expended to\ndevelop and maintain 14 APEX applications during the period September 2010 through\nJune 2013.16 Notably, estimated contract expenditures for 4 of the 14 applications\nexceeded $1 million each, the highest of which was $1.54 million. RMS used in-house\npersonnel, rather than contractors, to develop its APEX applications. RMS did not track\nthe in-house costs of its application development efforts. Further, although DRR\xe2\x80\x99s BIS\nestimated the cost of in-house personnel involved in developing individual APEX\napplications, DRR\xe2\x80\x99s BPM did not. Because DRR and RMS funded application\ndevelopment through their operational budgets, the costs were not subject to CIO Council\noversight.\n\nThe FDIC can strengthen its controls over business unit-led application development\nactivities by including language in the planned corporate policy requiring business units\nto develop and document appropriate IT governance processes. Such processes should\naddress the review and approval of development proposals, the decision-making process\nto authorize the deployment of applications into the production environment, and the\ntracking and reporting of application development costs. Such processes should also be\nscaled to the risk and complexity of the development activities involved so as not to\nunduly impede the ability of business units to address low risk (as determined by the\nsignificance of the functionality and sensitivity of the data being processed and\nmaintained) reporting, analytical, and automation needs.\n\n\n\n\n15\n   The guidelines included the FDIC Business Information Systems (BIS) Configuration Management \xe2\x80\x93\nChange Control Guide Version 1.0, dated November 30, 2011; the Business Information Systems (BIS)\nConfiguration Management Plan, Version 1.0, dated September 25, 2012; and the FDIC PRR\nConfiguration Management Plan Version: 1.0, dated December 5, 2012.\n16\n   At the close of our audit, we were informed that DRR planned to procure significant contractor support\nfor business unit-led application development, maintenance, and operational support as well as expert\nresources in WebFocus.\n\n\n                                                     9\n\x0cSystems Development Life Cycle Standards\n\nThe SDLC is the process of managing information systems from initiation, analysis,\ndesign, implementation, and maintenance, to disposal. The National Institute of\nStandards and Technology (NIST) recommends that federal agencies have a documented\nand repeatable SDLC policy and guideline that support the agencies\xe2\x80\x99 business needs and\ncomplement their unique culture.17 In addition, our review of industry research in this\narea indicates that some leading organizations are creating processes to set standards for\nsourcing, developing, and deploying IT, to be applied throughout the enterprise. These\norganizations then assess and recognize (through training and accreditation) staff outside\nof the formal IT organization that need or want to have the necessary capabilities and\napproach to meet those standards. According to the research, this approach provides\nCIOs with increased assurance that appropriate standards of agility, architectural\ncompliance, maintainability, and security are followed throughout the organization.\n\nDIT Policy Number 07-005, Systems Development Life Cycle, states that DIT has adopted\na customized RUP\xc2\xae SDLC methodology to meet the FDIC\xe2\x80\x99s specific requirements for\napplication development. RUP\xc2\xae contains process roadmaps that provide step-by-step\nactivities for development projects of varying size, type, risk, and complexity.\nApplications developed by the FDIC\xe2\x80\x99s business units are not required to follow RUP\xc2\xae,\nand DRR and RMS have developed their own approach to application development. In\naddition, both divisions have an information security manager (ISM) who is responsible\nfor assisting application development teams in addressing information security and\nprivacy requirements.\n\nA key risk associated with business unit-led application development is that business\nunits may not establish appropriate written SDLC standards, therefore limiting the\nFDIC\xe2\x80\x99s assurance that:\n\n     \xef\x82\xb7   applications are properly designed and tested to ensure they operate as intended,\n\n     \xef\x82\xb7   systems documentation is sufficient to support effective maintenance, and\n\n     \xef\x82\xb7   security and privacy requirements are addressed.\n\nSDLC Standards\n\nSDLC standards, which are defined through written procedures and guidelines and\ndocumented work products, provide an important control for ensuring that application\ndevelopment processes are repeatable, consistent, and disciplined and for reducing\noperational risk associated with changes in staff. Training can provide increased\n\n17\n   See NIST Special Publication 800-64, Revision 2, Security Considerations in the System Development\nLife Cycle, dated October 2008. This publication helps address requirements in FISMA that federal\nagencies, including the FDIC, have policies and procedures to ensure that information security is addressed\nthroughout the life cycle of their information systems.\n\n\n                                                    10\n\x0cassurance that SDLC standards are properly implemented. Although we did not include\ntraining within the scope of this audit, we did recommend in our 2012 information\nsecurity program evaluation report that the CIO update the FDIC\xe2\x80\x99s IT security training\nplan to clarify the FDIC\xe2\x80\x99s approach for addressing the corporate-wide information\nsecurity training needs of individuals with significant information security\nresponsibilities. Such individuals can include business unit personnel engaged in\napplication development. As described below, DRR and RMS had not developed a\npolicy addressing SDLC standards for their business unit-led application development,\nestablished consistent written SDLC standards, or designated a standard repository to\nstore their application code and software documentation.\n\nIn July 2011, DRR issued high-level SDLC guidance to supplement the DRR APEX\nMOU. Subsequently, in 2012, DRR\xe2\x80\x99s BPM and BIS separately developed informal\nSDLC guidelines. Although these guidelines were based on DIT\xe2\x80\x99s RUP\xc2\xae methodology,\ntheir content and level of specificity differed. Specifically, BPM\xe2\x80\x99s Client Development\nGuidelines defined key application development phases and activities, required work\nproducts, and roles and responsibilities, while BIS\xe2\x80\x99s DRR SDLC - Rapid RUP\xc2\xae provided\nmore limited process guidance. In addition, neither of the guidelines adequately\naddressed procedures for documenting consideration and implementation (as necessary)\nof requirements pertaining to the EA and Section 508 accessibility.18 Further, DRR\nofficials informed us that the division had selected StarTeam\xc2\xae as its standard repository\nfor storing business unit developed application code and software documentation.19 DRR\nofficials also informed us that they were working to develop formal SDLC guidelines to\npromote consistency in DRR\xe2\x80\x99s application development activities.\n\nRMS did not have written SDLC guidelines to govern its application development\nactivities. However, we noted that RMS developers had various documentation\nindicating certain change management and quality assurance testing activities had been\nperformed prior to the deployment of the applications we reviewed. In addition, RMS\nstored its business unit-developed application code and software documentation on\nvarious shared drives or in StarTeam\xc2\xae. However, RMS had not formally designated a\nstandard repository for storing this information.\n\nThe written agreements between DRR, RMS, and DIT regarding the use of APEX also\nprovide some SDLC guidance. However, the agreements address only those applications\n\n\n\n\n18\n   See FDIC Circulars 1303.1, FDIC Enterprise Architecture Program, dated June 16, 2008, and 2711.1,\nElectronic and Information Technology (EIT) Accessibility Pursuant to Section 508 of the Rehabilitation\nAct, dated September 27, 2007. It is generally the responsibility of application developers in the business\nunits to coordinate with DIT subject matter experts to ensure requirements pertaining to the EA and Section\n508 are addressed. DIT personnel advised us that guidance was being developed to facilitate compliance\nwith Section 508 requirements, as applicable, for all FDIC applications.\n19\n   DIT also uses StarTeam\xc2\xae as a repository of application code and software documentation (including\ncopies of security and privacy-related work products).\n\n\n                                                    11\n\x0cdeveloped with APEX and do not adequately address the development-related controls\ndescribed in this report. Such controls include ensuring that:\n\n   \xef\x82\xb7   applications are designed to align with the FDIC\xe2\x80\x99s current and target EA;\n\n   \xef\x82\xb7   data duplication and redundant processes are mitigated to the extent possible;\n\n   \xef\x82\xb7   software components are uniquely identified, consistently stored, subject to\n       appropriate version control and change control processes, and adequately tested\n       and reviewed prior to implementation;\n\n   \xef\x82\xb7   applications are Section 508 compliant, that is, they are as accessible to persons\n       with disabilities, including employees and members of the public, as they are for\n       persons without disabilities; and\n\n   \xef\x82\xb7   applications are reviewed for sensitivity and that sensitive information is\n       adequately protected from unauthorized access or modification.\n\nAbsent appropriate written SDLC standards to guide application development in the\nbusiness units, there is an increased risk that applications will not be properly designed or\ntested as intended or that systems documentation will not be sufficient to support\neffective maintenance.\n\nInformation Security and Privacy\n\nImportant controls for ensuring that information security and privacy are integrated into\napplications include sensitivity assessments, privacy reviews, security planning, access\ncontrol reviews, and separation of duties. FDIC Circular 1310.3, Information Technology\nSecurity Risk Management Program, dated July 6, 2005, states that all FDIC applications\nmust undergo a sensitivity assessment to examine the sensitivity level of the information\nthey process and determine their security category. This assessment is documented in an\nApplication Security Assessment (ASA). The FDIC has also established policies and\nprocedures requiring divisions and offices to complete a privacy questionnaire, referred\nto as a Privacy Threshold Analysis (PTA), whenever new systems or applications are\ndeveloped or acquired. The PTA is used to determine whether a statutory Privacy Impact\nAssessment (PIA) is required.\n\nIn addition, Circular 1310.3 states that a security plan shall be developed and tested for\nall sensitive applications. Security plans provide an overview of the application or\nsystem security requirements and describe the controls that are planned or in place to\nmeet those requirements. Further, FDIC Circular 1360.15, Access Control for\nInformation Technology Resources, dated February 27, 2009, requires periodic reviews\nof access to ensure consistency with existing authorizations and current business needs.\nIt also addresses the concept of separation of duties.\n\n\n\n\n                                             12\n\x0cAn ASA, PTA, and security plan were prepared for each of the two DRR applications\nthat we selected for review. In addition, an ASA, PTA, and security plan were prepared\nfor one of the two RMS applications that we reviewed. However, the ASA and security\nplan for this RMS application were drafted in late 2011, but not finalized, reviewed, and\napproved by the RMS ISM until May 2013, approximately 1 year after the application\nwas placed into the production environment. The RMS ISM informed us that APEX\napplications and applications developed in the RMS regional offices are subject to ISM\nreview only upon request by the development teams.20 An ASA and PTA were not\nprepared for the remaining RMS application that we reviewed because the system\nmanager was not aware of the policy requirements for these work products. We were\ninformed that this application contains sensitive information. As a result, it may require a\nsecurity plan depending on the results of an ASA, and/or a PIA depending on the results\nof a PTA.\n\nAs of the close of our audit, DRR officials had not provided ASAs or security plans for\ntheir APEX applications to DIT\xe2\x80\x99s Information Security and Privacy Staff (ISPS). DRR\nofficials indicated that they were awaiting guidance from DIT\xe2\x80\x99s ISPS regarding the\nsubmission of these documents. RMS recently provided such work products to DIT\xe2\x80\x99s\nISPS. DIT\xe2\x80\x99s ISPS uses information from these work products, along with the systems\ninventory, to help ensure that security for minor applications, including those developed\nby the FDIC\xe2\x80\x99s business units, is coordinated with the security oversight of GSSs and\nmajor applications. We noted that the aggregation of security plans to GSSs by DRR,\nRMS, and DIT was inconsistent for the four APEX applications that we reviewed,\nlimiting the FDIC\xe2\x80\x99s assurance that these applications are subject to appropriate security\noversight.21\n\nFurther, DRR had established written access control procedures that addressed access\nreviews for all of the division\xe2\x80\x99s applications, including those developed under the\ndivision\xe2\x80\x99s direction. Although an RMS official provided us with a guideline and some\nexamples of periodic access control reviews for one of our sampled applications, RMS\nhad not established written access control procedures covering all their business unit-\ndeveloped applications. Access control reviews involve periodically verifying that user\naccounts are properly authorized and confirming that specific permissions granted remain\nappropriate. Completing such reviews, which are consistent with the security principle of\nleast privilege, provides assurance that users remain in appropriate roles and status and\nthat only appropriate users have administrative access.\n\n20\n   According to the RMS ISM, an ASA, PTA, and security plan (if applicable) have been completed for 2\nof the 11 APEX applications developed or under development by RMS. The RMS APEX Governance Plan\ndoes not specifically require the completion of an ASA, PTA, or security plan for RMS APEX applications.\nHowever, it does contain a general requirement that RMS complete and submit the security work products\nnecessary to satisfy regulatory mandates.\n21\n   The two DRR applications we reviewed were primarily aggregated to the Enterprise Data Management\nGSS, and the RMS application was primarily aggregated to the Windows Server GSS. The DIT application\nwas aggregated to the Midrange Servers GSS. The RMS APEX Governance Plan indicates that all APEX\napplications developed by RMS should be aggregated to the Enterprise Data Management GSS. The DRR\nAPEX MOU does not contain guidance regarding aggregation.\n\n\n                                                  13\n\x0cSeparation of duties in the context of systems development involves having different\nindividuals performing key functions (e.g., programming and maintenance). Such a\ncontrol is important for mitigating the risk of malevolent IT activities, improper program\nchanges, and unauthorized access to sensitive information. We noted that DRR had\nestablished controls to restrict application development personnel from accessing the\nproduction environment. However, separation of duties for the two RMS applications we\nreviewed were not adequate because the personnel responsible for developing the\napplication code were also responsible for transferring the code into, and had access to\nthe code in, the production environment. We were also informed that RMS\xe2\x80\x99 APEX\ndevelopment and quality assurance activities were performed by developers in a pre-\nproduction environment on a production server that is separate from the application\nworkspaces and data used for production.\n\nThe FDIC can achieve increased assurance that security and privacy requirements are\naddressed in business unit-led application development by establishing controls to\naddress the issues described in this report.\n\n\nRecommendations\n\nWe recommend that the Acting CIO:\n\n1. Include language in the planned corporate policy on business unit-led application\n   development that requires FDIC business units to:\n\n       a) coordinate with DIT to ensure that applications developed by business units\n          are recorded in the Corporation\xe2\x80\x99s information systems inventory, when\n          appropriate; and\n\n       b) develop written IT governance processes that address the review and approval\n          of development proposals, the decision-making process for authorizing the\n          deployment of applications to the production environment, and the tracking\n          and reporting of application development costs.\n\n2. Coordinate with FDIC business units involved in application development to establish\n   appropriate written SDLC standards that are consistent with applicable laws, policies,\n   and guidelines, and commensurate with the risks and complexity of their development\n   activities.\n\n3. Coordinate with DRR and RMS to ensure that existing applications developed under\n   the divisions\xe2\x80\x99 direction comply with FDIC security policies pertaining to sensitivity\n   assessments, privacy reviews, security plans, access control reviews, and separation\n   of duties.\n\n\n\n\n                                            14\n\x0cCorporation Comments and OIG Evaluation\nThe Acting CIO provided a written response, dated September 6, 2013, to a draft of this\nreport. The response is presented in its entirety in Appendix 4. In the response, the\nActing CIO concurred with all three of the report\xe2\x80\x99s recommendations and described\nongoing and planned actions to address the recommendations.\n\nA summary of the Corporation\xe2\x80\x99s corrective actions is presented in Appendix 5. The\nongoing and planned actions are responsive to the recommendations, and the\nrecommendations are resolved.\n\n\n\n\n                                           15\n\x0c                                                                                           Appendix 1\n\n                Objectives, Scope, and Methodology\nObjectives\n\nThe objectives of the performance audit were to identify key risks associated with the\nFDIC\xe2\x80\x99s business unit-led application development activities and to determine the extent\nto which controls have been established to mitigate those risks.\n\nWe conducted this performance audit from January 2013 to July 2013 in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan\nand perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\nScope and Methodology\n\nWe identified key risks associated with the FDIC\xe2\x80\x99s business unit-led application\ndevelopment activities by reviewing relevant internal FDIC documents, interviewing DIT\nand business unit personnel, and researching industry guidance. We determined the\nextent to which controls were established to mitigate those key risks by reviewing\nrelevant FDIC policies, procedures, and guidance, the role of IT governance bodies, and\nother relevant control activities; interviewing DIT and business unit personnel; and\nreviewing the FDIC\xe2\x80\x99s development practices for a sample of applications. Our work\nrelated to controls was limited to determining the extent to which policies, procedures,\nreports, IT governance bodies, and other relevant control activities were in place. We did\nnot assess whether these controls were effectively implemented or operating as intended.\n\nTo achieve the audit objectives, we performed the following procedures:\n\n\xef\x82\xb7    Interviewed personnel in RMS, DRR, DIT, the Division of Depositor and Consumer\n     Protection, Division of Insurance and Research, Division of Finance, and Division of\n     Administration who were involved with business unit-led application development to\n     obtain their perspectives on relevant risks, controls, development practices, tools, and\n     costs.\n\n\xef\x82\xb7    Obtained an understanding of corporate and division-level policies22 and procedural\n     guidance related to application development by reviewing the following:\n\n             o FDIC Circular 1303.1, FDIC Enterprise Architecture Program\n             o FDIC Circular 1301.3, Enterprise Data Management Program\n             o FDIC Circular 1310.3, Information Technology Security Risk Management\n               Program\n22\n   In general, these FDIC policies are founded on legislative requirements or on standards and guidance\nissued by NIST.\n\n\n                                                    16\n\x0c                                                                                           Appendix 1\n\n                 Objectives, Scope, and Methodology\n             o   FDIC Circular 1360.8, Information Security Categorization\n             o   FDIC Circular 1320.4, FDIC Software Configuration Management Policy\n             o   FDIC Circular 1360.18, FDIC Software Quality Assurance Policy\n             o   FDIC Circular 2711.1, Electronic and Information Technology (EIT)\n                 Accessibility Pursuant to Section 508 of the Rehabilitation Act\n             o   DIT Policy Number 07-005, Policy: Systems Development Life Cycle\n             o   DIT Policy Number 10-004, Policy on Maintaining the Enterprise\n                 Architecture Repository (EA-REP)\n             o   FDIC Governance Plan for Implementation, Use and Support of\n                 Application Express (APEX) for DSC\n             o   Memorandum of Understanding for Use of Application Express (APEX)\n                 by the Division of Resolutions and Receiverships (DRR)\n             o   DRR Business Program Management Section (BPMS) Client\n                 Development Guideline\n             o   DRR Business Information System\xe2\x80\x99s DRR SDLC \xe2\x80\x93 Rapid RUP\xc2\xae\n             o   DRR APEX Software Development process guidance\n\n\xef\x82\xb7    Reviewed internal FDIC documents, such as the FDIC Business Technology Strategic\n     Plan 2013-2017 and DIT\xe2\x80\x99s 2012 Assurance Statement submitted pursuant to the\n     Federal Managers\xe2\x80\x99 Financial Integrity Act,23 the Chief Financial Officers Act of\n     1990,24 and FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, for\n     information about risks related to business-unit led application development.\n\n\xef\x82\xb7    Reviewed industry guidance, such as the Institute of Internal Auditors\xe2\x80\x99 June 2010\n     publication, entitled Global Technology Audit Guide (GTAG\xc2\xae) 14, Auditing User-\n     developed Applications; analysis and recommended best practices developed by a\n     recognized IT research and advisory company; and NIST Special Publication 800-64,\n     Revision 2, Security Considerations in the System Development Life Cycle, dated\n     October 2008; for information about risks and controls related to business-unit led\n     application development.\n\n\xef\x82\xb7    Observed interdivisional meetings held to develop policy and guidance associated\n     with business unit-led application development to obtain an understanding of\n     potential risks and controls related to such development.\n\n\xef\x82\xb7    Obtained and reviewed available information regarding the number of applications\n     developed by DRR and RMS and the associated costs. The purpose of this procedure\n\n23\n  Pub. L. 97-255, codified to 31 U.S.C. \xc2\xa7 3512.\n24\n  Section 306 of the Chief Financial Officers Act (Pub. L. 101-576, codified to 31 U.S.C. \xc2\xa7 9106) requires\ngovernment corporations, such as the FDIC, to submit annual management reports to the Congress that\ninclude a statement on internal accounting and administrative controls consistent with the Federal\nManagers\xe2\x80\x99 Financial Integrity Act. The statement is included in the FDIC\xe2\x80\x99s Annual Report, for which\nDIT\xe2\x80\x99s Assurance Statement serves as input.\n\n\n                                                    17\n\x0c                                                                                             Appendix 1\n\n                 Objectives, Scope, and Methodology\n     was to obtain an understanding of the extent to which business units in these divisions\n     engage in application development activities.\n\n\xef\x82\xb7    Selected a non-statistical sample25 of four applications developed by DRR and RMS\n     operating in the production environment as of April 11, 2013 from a population of\n     business-developed applications identified by DRR and RMS, which consisted of 7\n     DRR applications and 14 RMS applications.26 Because DRR and RMS did not\n     maintain official information systems inventories, we were unable to verify that the\n     population provided to us was complete. We reviewed the four applications to obtain\n     an understanding of the IT governance, application development practices, and\n     controls employed by FDIC\xe2\x80\x99s business units to develop the applications. We did not\n     assess whether the applications were adequately designed or whether development\n     policies, procedures, and guidance had been properly implemented.\n\n     We judgmentally selected the four applications based on whether they met one or\n     more of the following criteria:\n\n         o   Received data from, or provided data to, a major application\n         o   Contained PII or other sensitive information\n         o   Supported more than 100 users\n         o   Involved a development time of two months or more\n         o   Used data owned by another FDIC division\n\nFor reference purposes, we also judgmentally selected one of six APEX applications\ndeveloped by DIT for the business divisions in the years 2008 through 2013. We selected\nthe application because it contained PII or other sensitive information and had more than\none software version. The table below identifies the applications that we selected.\n\n\n\n\n25\n   The results of a non-statistical sample cannot be projected to the intended population by standard\nstatistical methods.\n26\n   This population is a subset of the total universe of 16 and 53 business-developed applications identified\nby DRR and RMS, respectively, at the time our audit sample was selected. The population included only\nthose applications in the production environment developed using APEX or Microsoft Access/Structured\nQuery Language Server, as we considered applications developed with these tools to potentially have\nhigher risk. As of August 30, 2013, DRR informed us that, after further review, its universe of business-\ndeveloped applications totaled 23 (as opposed to the 16 referenced above when our sample was taken).\n\n\n                                                     18\n\x0c                                                                                             Appendix 1\n\n                Objectives, Scope, and Methodology\nTable: Sampled Applications\n  Application\n                                           Application\n   Number           Developed By                                     Application Description\n                                             Type\n\n 1                 DRR\xe2\x80\x99s BIS            APEX                  Tracks the inventory and status of the\n                                                              marketing and management of ORE assets\n                                                              assigned to ORE contractors.\n\n 2                 DRR\xe2\x80\x99s BPM            APEX                  Tracks DRR employees, positions, and\n                                                              vacancies through the onboarding process.\n 3                 RMS\xe2\x80\x99 BADS            APEX                  Automates the forms used for performance\n                                                              management and recognition of all pre-\n                                                              commissioned examiners.\n 4                 RMS\xe2\x80\x99 ROMIGs          Microsoft Access/     Captures RMS\xe2\x80\x99 quarterly analysis of\n                                        Structured Query      insured depository institutions with assets\n                                        Language Server       greater than $10 billion.\n 5                 DIT                  APEX                  Tracks the status of background\n                                                              investigations for employees and\n                                                              contractors.\nSource: Listings of DRR- and RMS-developed applications provided by DRR and RMS personnel,\nrespectively, and a listing of DIT-developed APEX applications provided by DIT personnel. We refer to each\napplication sampled by number (versus application name) for security purposes.\n\nFor the applications selected, we interviewed DRR, RMS, and DIT development\npersonnel (as applicable). We also obtained and reviewed available SDLC\ndocumentation maintained in various repositories, including shared folders, SharePoint\nsites, and StarTeam. In general, this documentation related to application development\nactivities that occurred during the period April 2010 through May 2013. We performed\nthese audit procedures to determine whether DRR and RMS had established, through\nwritten policies, procedures, and guidance, controls designed to mitigate the key risks we\nidentified related to business unit-led application development.\n\nWe performed our audit work at the FDIC\xe2\x80\x99s offices in Dallas, Texas, and Arlington,\nVirginia.\n\nInternal Control, Reliance on Computer-processed Information,\nPerformance Measurement, and Compliance with Laws and Regulations\n\nAs described in the Scope and Methodology section of this Appendix, we performed\naudit procedures to identify and obtain an understanding of the FDIC\xe2\x80\x99s established\ninternal controls related to business unit-led application development activities.\nHowever, consistent with our audit objectives, we did not assess the implementation or\neffectiveness of those controls or the adequacy of the FDIC\xe2\x80\x99s overall internal control or\nmanagement control environment. Our report identifies certain internal control gaps\nwarranting management\xe2\x80\x99s attention.\n\n\n                                                   19\n\x0c                                                                              Appendix 1\n\n              Objectives, Scope, and Methodology\nWe did not rely on automated information from the FDIC\xe2\x80\x99s information systems that\nwere significant to our audit objectives, conclusions, or findings. Accordingly, we did\nnot assess the effectiveness of information system controls.\n\nThe Government Performance and Results Act of 1993 (the Results Act), as amended,\ndirects Executive Branch agencies to develop a customer-focused strategic plan, align\nagency programs and activities with concrete missions and goals, and prepare and report\non annual performance plans. We did not assess the strengths and weaknesses of the\nFDIC\xe2\x80\x99s annual performance plans in meeting the requirements of the Results Act because\nsuch an assessment was not significant to the audit objectives.\n\nRegarding compliance with laws and regulations, our report identifies gaps in controls\nthat, if not addressed, could result in non-compliance with federal statutes, such as the E-\nGovernment Act of 2002\xe2\x80\x94particularly Section 208 regarding privacy impact\nassessments and title III (also known as FISMA) regarding information security. In\naddition, we assessed the risk of fraud and abuse related to our objectives in the course of\nevaluating audit evidence.\n\n\n\n\n                                             20\n\x0c                                                                                  Appendix 2\n\n                            Glossary of Terms\n     Term                                           Definition\n\nApplication       Per FDIC Circular 1360.18, FDIC Software Quality Assurance Policy, the\n                  aggregate of information technology that processes, stores, and/or transmits\n                  information to satisfy client requirements, such as the need to inventory and\n                  track the marketing and management of assets.\n\nApplication       An examination of the sensitivity level of the information processed by an\nSecurity          application to determine the application\xe2\x80\x99s security category. This security\nAssessment        category indicates the potential impact on the FDIC\xe2\x80\x99s mission if the\n(ASA)             confidentiality, integrity, and/or availability of the system and its data were\n                  compromised.\n\nAssurance         As part of the process for preparing the FDIC\xe2\x80\x99s Annual Report (see 31\nStatement         U.S.C. \xc2\xa7 3516(b)), division and office directors provide assurance to the\n                  FDIC Chairman after considering their division\xe2\x80\x99s or office\xe2\x80\x99s overall\n                  activities in conjunction with the results of management\xe2\x80\x99s on-going\n                  evaluations of internal control operations, programs, and systems along with\n                  the results of audits and reviews conducted by the FDIC OIG, GAO, or\n                  external firms. The assurance is communicated in the form of an assurance\n                  statement that addresses compliance with applicable internal control\n                  standards.\n\nBusiness Unit-    The creation or enhancement of IT solutions where the development is\nLed Application   performed under the direction of an FDIC business unit.\nDevelopment\nConfiguration     The technical and administrative process to identify, document, and\nManagement        maintain configuration item integrity, control configuration item changes,\n                  and record and report on configuration item change processing status. A\n                  configuration item is a unit or aggregate of documentation, software and/or\n                  hardware that is designated for configuration management.\n\nEnterprise        Describes the current and desired future state of the Corporation in terms of\nArchitecture      performance, business, data, services, technology, and security, and lays out\n                  a plan for transitioning from the current state to the desired future state. It\n                  captures and clarifies how various business processes, information system\n                  components, and people work together to accomplish the mission of the\n                  Corporation.\n\nFederal           The Federal Information Security Management Act of 2002 (title III, E-\nInformation       Government Act of 2002), Pub. L. No. 107-347, dated December 17, 2002,\nSecurity          requires federal agencies, including the FDIC, to develop, document, and\nManagement Act    implement an agency-wide information security program that provides\n(FISMA)           security for the information and systems that support the operations and\n                  assets of the agency. In addition, FISMA requires agencies to perform\n                  annual independent evaluations of their information security programs and\n                  practices.\n\n\n                                             21\n\x0c                                                                                      Appendix 2\n\n                                Glossary of Terms\nGeneral Support      An interconnected set of information resources under the same direct\nSystem (GSS)         management control that shares common functionality. A GSS normally\n                     includes hardware, software, information, data, applications,\n                     communications, and people.\n\nInformation      There are 12 ISMs throughout the FDIC, representing the FDIC\nSecurity Manager divisions and offices. The DIT ISMs support DIT as well as the FDIC\xe2\x80\x99s\n(ISM)            executive offices. ISMs assess the level of security in information\n                 systems, determine which are major applications, ensure that security\n                 requirements are addressed, and promote compliance with FDIC security\n                 policies and procedures.\n\nInformation          The leadership, organizational structures and processes that ensure IT\nTechnology (IT)      supports the FDIC\xe2\x80\x99s strategies and objectives.\nGovernance\n\nLeast Privilege      The practice of restricting user access (to data files, to processing capability,\n                     or to peripherals) or type of access (read, write, execute, delete) to the\n                     minimum necessary to perform a user\xe2\x80\x99s job.\n\nMajor                An application that requires special attention to security due to the risk and\nApplication          magnitude of harm resulting from the loss or misuse of, or unauthorized\n                     access to, or modification of the information in the application.\n\nMinor                An application, other than a major application, that requires attention to\nApplication          security due to the risk and magnitude of harm resulting from the loss,\n                     misuse, or unauthorized access to or modification of the information in the\n                     application. Such applications are typically part of a GSS or major\n                     application.\nNational Institute   A non-regulatory federal agency within the Department of Commerce\xe2\x80\x99s\nof Standards and     Technology Administration. As part of its responsibilities, NIST develops\nTechnology           and publishes technical, physical, administrative, and management\n(NIST)               standards and guidelines for the cost-effective security and privacy of\n                     sensitive, but unclassified, information in federal computer systems.\n\nOracle\xc2\xae              A web browser-based rapid application development tool provided as part\nApplication          of the Oracle\xc2\xae Database software.\nExpress (APEX)\n\nPersonally           Any information maintained by an agency about an individual, including,\nIdentifiable         but not limited to, education, financial transactions, medical history, and\nInformation (PII)    criminal or employment history and information that can be used to\n                     distinguish or trace an individual\xe2\x80\x99s identity, such as their name, Social\n                     Security number, date and place of birth, etc., including any other personal\n                     information that is linked or linkable to an individual. The definition of PII\n                     is similar in meaning to the definition of the term \xe2\x80\x9cinformation in\n                     identifiable form,\xe2\x80\x9d as used in the E-Government Act of 2002.\n\n                                                22\n\x0c                                                                                      Appendix 2\n\n                               Glossary of Terms\nPrivacy Impact      A process for (1) examining the risks and ramifications of using information\nAssessment (PIA)    technology to collect, maintain, and disseminate PII from or about members\n                    of the public and (2) identifying and evaluating protections and alternative\n                    processes to mitigate the impact to privacy of collecting such information.\n                    The requirement for PIAs flows from Section 208 of the E-Government Act\n                    of 2002, which states that agencies (including the FDIC) are required to\n                    conduct\xe2\x80\x94prior to developing or acquiring information technology\n                    containing PII\xe2\x80\x94an assessment of the agencies\xe2\x80\x99 use of such PII by the\n                    technology at issue.\n\nPrivacy              A preliminary analysis to determine whether a PIA, or any other privacy\nThreshold            compliance documents, is required.\nAnalysis (PTA)\n\nProduction          The end-user environment containing the current version of an application\nEnvironment         that has successfully passed testing and has received approval for promotion\n                    into the environment.\n\nRational Unified A comprehensive process framework that provides industry-tested\nProcess\xc2\xae (RUP\xc2\xae) practices for software and systems delivery and implementation and for\n                 effective project management. RUP\xc2\xae is the standard systems development\n                 life cycle methodology used by DIT for the information technology projects\n                 it manages. Currently, only DIT is required to use this standard.\n\nRegional Office     Created in 1996 to fulfill management information and automation needs in\nManagement          the operations of each RMS regional office, ROMIGs provide senior\nInformation         regional management with a highly specialized and flexible resource to\nGroups              meet RMS information demands.\n(ROMIGs)\nRisk                The process of identifying risk, assessing risk, and taking steps to reduce\nManagement          risk to an acceptable level in order to protect information resources.\n\nSection 508         Section 508 of the Rehabilitation Act (Pub. L. 93-112, as added Pub. L. 99-\n                    506, and codified to 29 U.S.C. \xc2\xa7 794d) requires, in general, that agencies\n                    ensure that information technology that they develop or acquire be as\n                    accessible to persons with disabilities as it is to persons without disabilities.\n\nSecurity            FISMA requires federal agencies to categorize their information assets in\nCategory            accordance with NIST standards. NIST Federal Information Processing\n                    Standard Publication (FIPS PUB) 199, Standards for Security\n                    Categorization of Federal Information and Information Systems, which the\n                    FDIC has adopted as policy, sets forth standards for categorizing federal\n                    information and information systems based on the FISMA objectives of\n                    providing appropriate levels of information security according to a range of\n                    risk levels. The publication defines three levels of potential impact (i.e.,\n                    High, Moderate, and Low) that could occur should there be a breach of\n                    security (i.e., a loss of confidentiality, integrity, or availability). The\n                    FDIC\xe2\x80\x99s approach for assigning impact-level ratings is defined in\n\n                                               23\n\x0c                                                                                   Appendix 2\n\n                             Glossary of Terms\n                   Circular 1360.8, Information Security Categorization. Categorizing\n                   information and information systems is a critical first step in establishing\n                   appropriate security because the categorization is used to determine the\n                   minimum set of baseline security controls required to protect the\n                   information and information systems.\n\nSensitive          Any information, the loss, misuse, or unauthorized access to or modification\nInformation        of which could adversely impact the interests of FDIC in carrying out its\n                   programs or the privacy to which individuals are entitled. Such\n                   information includes PII; confidential financial information from third\n                   parties; as well as information about insurance assessments, resolution and\n                   receivership activities, and enforcement, legal, and contracting activities.\n\nSeparation of      Addresses the potential for abuse of authorized privileges and helps to\nDuties             reduce the risk of malevolent activity without collusion. In the context of\n                   information technology, separation of duties includes, for example:\n                   (i) dividing mission functions and information system support functions\n                   among different individuals and/or roles; (ii) conducting information system\n                   support functions with different individuals (e.g., system management,\n                   programming, configuration management, quality assurance and testing,\n                   and network security); and (iii) ensuring security personnel administering\n                   access control functions do not also administer audit functions.\n\nSystems            The phases included in the life of an information system. A typical SDLC\nDevelopment Life   includes five phases: initiation, development/acquisition,\nCycle (SDLC)       implementation/assessment, operations/maintenance, and disposal. Each\n                   phase involves specific tasks and work products and may be repeated over\n                   the life of the information system.\n\nWork Products      Work products, as that term is used in this report, refers to SDLC\n                   documents, such as IT project proposals, checklists, ASAs, PTAs, testing\n                   plans and summaries, etc.\n\n\n\n\n                                              24\n\x0c                                                                 Appendix 3\n\n                 Acronyms and Abbreviations\nAcronym or\nAbbreviation   Explanation\nAPEX           Application Express\nBADS           Business Analysis and Decision Support\nBIS            Business Information Systems\nBPM            Business Program Management\nCIO            Chief Information Officer\nCIRC           Capital Investment Review Committee\nDIT            Division of Information Technology\nDOA            Division of Administration\nDRR            Division of Resolutions and Receiverships\nDSC            Division of Supervision and Consumer Protection\nEA             Enterprise Architecture\nEA-Rep         Enterprise Architecture Repository\nFDIC           Federal Deposit Insurance Corporation\nFISMA          Federal Information Security Management Act\nISM            Information Security Manager\nISPS           Information Security and Privacy Staff\nIT             Information Technology\nMOU            Memorandum of Understanding\nNIST           National Institute of Standards and Technology\nPII            Personally Identifiable Information\nPRC            RMS IT Portfolio Review Committee\nPub. L.        Public Law\nRMS            Division of Risk Management Supervision\nROMIGs         Regional Office Management Information Groups\nRUP\xc2\xae           Rational Unified Process\xc2\xae\nSDLC           Systems Development Life Cycle\nSGB            DRR Systems Governance Board\nU.S.C.         United States Code\n\n\n\n\n                                         25\n\x0c                                                                                            Appendix 4\n\n                                       Corporation Comments\n\n\n\n\nFederal Deposit Insurance Corporation\n3501 Fairfax Drive, Arlington VA. 22226-3500                                           Chief Information Officer\n\n DATE:                September 6, 2013\n\n TO:                  Stephen M. Beard\n                      Deputy Inspector General for Audits and Evaluations\n\nFROM:                 Martin D. Henning /Signed/\n                      Acting Chief Information Officer\n\nSUBJECT:               Management Response to the Draft Evaluation Report Entitled,\n                       The FDIC\xe2\x80\x99s Controls Over Business Unit-Led Application Development Activities\n                       (Assignment No. 2013-018)\n\n Thank you for the opportunity to comment on the Office of Inspector General\xe2\x80\x99s (OIG)\n August 2, 2013 draft report on FDIC\xe2\x80\x99s controls over business unit-led application development.\n In its report, the OIG made three recommendations to the Chief Information Officer (CIO).\n Based on the overall results of the audit, the CIO agrees that additional steps should be taken to\n enhance the controls supporting the FDIC\xe2\x80\x99s business unit-led application development activities.\n\n Specifically, we agree that all FDIC applications should be recorded in a corporate database, that\n the start of application development should be better governed, that application deployment\n should be better governed, and that the costs of development should be better managed. We\n agree that a flexible system development lifecycle standard should be used to achieve these\n objectives. Finally, we agree that a review of existing applications developed outside of DIT\n should be completed to ensure they comply with FDIC security policies.\n\n We carefully considered and concur with each of the recommendations made by the audit team.\n Corrective actions for each recommendation are planned or in process. Our specific responses\n for each of the recommendations are provided below.\n\n\n\n\n                                                    26\n\x0c                       Appendix 4\n\nCorporation Comments\n\n\n\n\n         27\n\x0c                       Appendix 4\n\nCorporation Comments\n\n\n\n\n         28\n\x0c                                                                            Appendix 5\n\n      Summary of the Corporation\xe2\x80\x99s Corrective Actions\nThis table presents management\xe2\x80\x99s response to the recommendations in the report and the\nstatus of the recommendations as of the date of report issuance.\n\nRec.     Corrective Action: Taken or          Expected         Monetary   Resolved:a   Open or\nNo.                Planned                  Completion Date    Benefits   Yes or No    Closedb\n 1.    The FDIC will issue a corporate      January 31, 2014     N/A         Yes        Open\n       policy on business unit-led\n       application development that\n       requires the FDIC\xe2\x80\x99s business units\n       to coordinate with DIT to ensure\n       that applications developed by\n       business units are recorded in the\n       Corporation\xe2\x80\x99s information systems\n       inventory, when appropriate. The\n       policy will also require the\n       application of existing written IT\n       governance processes at levels\n       appropriate for the size,\n       complexity, and sensitivity of\n       applications and provide direction\n       for tracking and reporting\n       application development costs.\n 2.    The planned corporate policy on      January 31, 2014     N/A         Yes        Open\n       business unit-led application\n       development will direct the\n       FDIC\xe2\x80\x99s business units developing\n       applications and DIT\xe2\x80\x99s Project\n       Management Office to work\n       together to apply the FDIC\xe2\x80\x99s\n       existing SDLC commensurate with\n       the risks and complexities of new\n       development activities.\n 3.    DIT will coordinate with DRR and     April 15, 2014       N/A         Yes        Open\n       RMS to record business-developed\n       applications in the Corporation\xe2\x80\x99s\n       information systems inventory, as\n       appropriate. DIT will review DRR\n       and RMS identified business-\n       developed applications for non-\n       compliance with FDIC security\n       policies. If instances of non-\n       compliance are identified, such\n       instances will be catalogued and\n       communicated to the appropriate\n       division(s). Any remedial actions\n       will be assigned to an owner and\n       milestones will be established\n\n                                              29\n\x0c                                                                                              Appendix 5\n\n      Summary of the Corporation\xe2\x80\x99s Corrective Actions\n\nRec.         Corrective Action: Taken or              Expected              Monetary      Resolved:a     Open or\nNo.                    Planned                      Completion Date         Benefits       Yes or No     Closedb\n          commensurate with the severity of\n          the non-compliance.\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\n                   corrective action is consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but alternative action meets the intent\n                   of the recommendation.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.\n                   Monetary benefits are considered resolved as long as management provides an amount.\nb\n  Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective\nactions are complete or (b) in the case of recommendations that the OIG determines to be particularly\nsignificant, when the OIG confirms that corrective actions have been completed and are responsive.\n\n\n\n\n                                                      30\n\x0c'